Rust-Based VENON Malware Targets 33 Brazilian Banks with Credential-Stealing Overlays

Rust-Based VENON Malware Targets 33 Brazilian Banks with Credential-Stealing Overlays Ravie LakshmananMar 12, 2026Malware / Cybercrime Cybersecurity researchers have disclosed details of a new banking malware targeting Brazilian users that's written in Rust, marking a significant departure from other known Delphi-based malware families associated with the Latin American cybercrime ecosystem. The malware, which is designed to infect Windows systems and was first discovered last month, has been codenamed VENON by Brazilian cybersecurity company ZenoX. What makes VENON notable is that it shares behaviors that are consistent with established banking trojans targeting the region, such as Grandoreiro, Mekotio, and Coyote, specifically when it comes to features like banking overlay logic, active window monitoring, and a shortcut (LNK) hijacking mechanism. The malware has not been attributed to any previously documented group or campaign. However, an earlier version of the artifact, dating back to January 2026, has been found to expose full paths from the malware author's development environment. The paths repeatedly reference a Windows machine username "byst4" (e.g., "C:\Users\byst4\..."). "The Rust code structure presents patterns suggesting a developer familiar with the capabilities of existing Latin American banking trojans, but who used generative AI to rewrite and expand these functionalities in Rust, a language that requires significant technical experience to use at the observed level of sophistication," ZenoX said. VENON is distributed by means of a sophisticated infection chain that uses DLL side-loading to launch a malicious DLL. It's suspected that the campaign leverages social engineering ploys like ClickFix to trick users into downloading a ZIP archive containing the payloads by means of a PowerShell script. Once the DLL is executed, it performs nine evasion techniques, including anti-sandbox checks, indirect syscalls, ETW bypass, and AMSI bypass, before actually initiating any malicious actions. It also reaches out to a Google Cloud Storage URL to retrieve a configuration, install a scheduled task, and establish a WebSocket connection to the command-and-control (C2) server. Also extracted from the DLL are two Visual Basic Script blocks that implement a shortcut hijacking mechanism exclusively targeting the Itaú banking application. The components work by replacing the legitimate system shortcuts with tampered versions that redirect the victim to a web page under the threat actor's control. The attack also supports an uninstall step to undo the modifications, suggesting that the operation can be remotely controlled by the threat actor to restore the shortcuts to what they originally were to cover up the tracks. In all, the banking malware is equipped to target 33 financial institutions and digital asset platforms by monitoring the window title and active browser domain, springing into action only when any of the targeted applications or websites are opened to facilitate credential theft by serving fake overlays. The disclosure comes amid campaigns where threat actors are exploiting the ubiquity of WhatsApp in Brazil to distribute a worm named SORVEPOTEL via the messaging platform's desktop web version. The attack hinges on abusing previously authenticated chats to deliver malicious lures directly to victims, ultimately resulting in the deployment of banking malware such as Maverick, Casbaneiro, or Astaroth. "A single WhatsApp message delivered through a hijacked SORVEPOTEL session was sufficient to draw a victim into a multi-stage chain that ultimately resulted in an Astaroth implant running fully in memory," Blackpoint Cyber said. "The combination of local automation tooling, unsupervised browser drivers, and user-writable runtimes created an unusually permissive environment, allowing both the worm and the final payload to establish themselves with minimal friction." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  banking malware, Credential Theft, Cybercrime, cybersecurity, Malware, Messaging Security, Rust Programming, social engineering, Threat Intelligence, windows security Trending News Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities ⚡ Weekly Recap: Qualcomm 0-Day, iOS Exploit Chains, AirSnitch Attack and Vibe-Coded Malware ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket OpenAI Codex Security Scanned 1.2 Million Commits and Found 10,561 High-Severity Issues Open-Source CyberStrikeAI Deployed in AI-Driven FortiGate Attacks Across 55 Countries Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited ThreatsDay Bulletin: DDR5 Bot Scalping, Samsung TV Tracking, Reddit Privacy Fine and More 149 Hacktivist DDoS Attacks Hit 110 Organizations in 16 Countries After Middle East Conflict Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1 New Chrome Vulnerability Let Malicious Extensions Escalate Privileges via Gemini Panel APT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday Anthropic Finds 22 Firefox Vulnerabilities Using Claude Opus 4.6 AI Model Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer Load More ▼ Popular Resources 19,053 Confirmed Breaches in 2025 – Key Trends and Predictions for 2026 Self-Hosted WAF: Block SQLi, XSS, and Bots Before They Reach Your Apps Read CYBER360 2026: From Zero Trust Limits to Data-Centric Security Paths Identity Controls Checklist: Find Missing Protections in Apps